Add deletionProtection for releases

Signed-off-by: Nicolas Bigler <nicolas.bigler@vshn.ch>
vshn · Oct 16, 2024 · b06d898 · b06d898
1 parent 88cb04c
commit b06d898
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 0 deletions.
diff --git a/cmd/controller.go b/cmd/controller.go
@@ -157,5 +157,10 @@ func setupWebhooks(mgr manager.Manager, withQuota bool) error {
 		return err
 	}
 
+	err = webhooks.SetupReleaseDeletionProtectionHandlerWithManager(mgr)
+	if err != nil {
+		return err
+	}
+
 	return webhooks.SetupPVCDeletionProtectionHandlerWithManager(mgr)
 }
diff --git a/config/controller/webhooks.yaml b/config/controller/webhooks.yaml
@@ -82,6 +82,25 @@ webhooks:
     resources:
     - persistentvolumeclaims
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-helm-crossplane-io-v1beta1-release
+  failurePolicy: Fail
+  name: releases.vshn.appcat.vshn.io
+  rules:
+  - apiGroups:
+    - helm.crossplane.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - DELETE
+    resources:
+    - releases
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

diff --git a/pkg/controller/webhooks/release.go b/pkg/controller/webhooks/release.go
@@ -0,0 +1,72 @@
+package webhooks
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-logr/logr"
+	helmv1beta1 "github.com/vshn/appcat/v4/apis/helm/release/v1beta1"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+//+kubebuilder:webhook:verbs=delete,path=/validate-helm-crossplane-io-v1beta1-release,mutating=false,failurePolicy=fail,groups="helm.crossplane.io",resources=releases,versions=v1beta1,name=releases.vshn.appcat.vshn.io,sideEffects=None,admissionReviewVersions=v1
+
+var _ webhook.CustomValidator = &ReleaseDeletionProtectionHandler{}
+
+type ReleaseDeletionProtectionHandler struct {
+	client client.Client
+	log    logr.Logger
+}
+
+// SetupNamespaceDeletionProtectionHandlerWithManager registers the validation webhook with the manager.
+func SetupReleaseDeletionProtectionHandlerWithManager(mgr ctrl.Manager) error {
+
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&helmv1beta1.Release{}).
+		WithValidator(&ReleaseDeletionProtectionHandler{
+			client: mgr.GetClient(),
+			log:    mgr.GetLogger().WithName("webhook").WithName("release"),
+		}).
+		Complete()
+}
+
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
+func (p *ReleaseDeletionProtectionHandler) ValidateCreate(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	// NOOP for now
+	return nil, nil
+}
+
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
+func (p *ReleaseDeletionProtectionHandler) ValidateUpdate(_ context.Context, _, _ runtime.Object) (admission.Warnings, error) {
+	// NOOP for now
+	return nil, nil
+}
+
+// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
+func (p *ReleaseDeletionProtectionHandler) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+
+	release, ok := obj.(client.Object)
+	if !ok {
+		return nil, fmt.Errorf("object is not valid")
+	}
+
+	l := p.log.WithValues("object", release.GetName(), "release", release.GetNamespace(), "GVK", release.GetObjectKind().GroupVersionKind().String())
+
+	compInfo, err := checkManagedObject(ctx, release, p.client, l)
+	if err != nil {
+		return nil, err
+	}
+
+	if compInfo.Exists {
+		l.Info("Blocking deletion of release", "parent", compInfo.Name)
+		return nil, fmt.Errorf(protectedMessage, "release", compInfo.Name)
+	}
+
+	l.Info("Allowing deletion of release", "parent", compInfo.Name)
+
+	return nil, nil
+}